Overcoming Zookeeper ACLs

How to get super user access to Zookeeper Access Controls

In the middle of Kerberizing a Confluent Kafka 4.1.0 cluster, my pair and I had set our permissions incorrectly on a few Kafka zNodes. Little did we know we were in for some fun. With our limited familiarity of ZooKeeper, we stumbled on the following ways of getting do-want-I-want access for changing ZK ACLs.

Option 1: Setup a Super User

This is my favorite option for environments beyond my location machine, only requires

Setting an zookeeper property for Zookeeper startup

Restarting Zookeeper

Using zookeeper-shell to activate super user

We’ll setup a super user using the zookeeper.DigestAuthenticationProvider.superDigest property. For Kafka, we used KAFKA_OPTS env variable to set the JVM param. Other mechanisms for setting JVM params. The user is super and the credentials are super123 . See appendix for generating customer credentials incase these don’t work.